Russia, Russia, Russia: What Clinton Or Trump Can Do About Nation-State Hacking Gone Wild

US mulls 'proportional' response to Democratic Party hacks in midst of an unprecedented presidential campaign clouded by cybersecurity concerns (among other things).

Whether the next President of the United States likes it or not, she or he will be faced with a whole new era of nation-state cyberattacks that have now crossed a fine line from accepted cyber espionage to a form of cyberattack aimed at sabotaging the election season.

In the wake of a rare declaration by the Office of the Director of National Intelligence and US Department of Homeland Security last week that named Russia as the actor behind recent hacks of the Democratic National Committee (DNC) and personal emails of US political officials and organizations, the White House this week said the US will respond in a "proportional" manner to the breaches, which have gone glaringly public with online data dumps via WikiLeaks.

Even so, Russia's propaganda-driven campaign in the breach and doxing of the DNC and other Democratic Party operatives takes this destructive cyber espionage activity to a whole new level. While most experts say it's unlikely Russia can or will be able to go as far as hacking US voting systems to alter the vote count, there are plenty of ways for the nation-state to sow seeds of distrust, doubt, and fear in the election.

This threat won't end after Nov. 8, either.

"We have never been here before. No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber," says security expert Cris Thomas, aka Space Rogue, who says the administration needs to provide some evidence of Russia's involvement in the breach.

Thomas says the US should be careful with attribution "and set the stage now as to what is and is not acceptable as we move into the future, when these sort of actions will become more and more commonplace," he says.

Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, at a security conference hosted by The Washington Post last week, said the administration would consider tools including "economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be."

An Executive Order issued in April 2015 by President Barack Obama gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO, which the administration has not used in any case as of yet, allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

"Our primary focus will be on cyber threats from overseas. In many cases, diplomatic and law enforcement tools will still be our most effective response," Obama said when announcing the Executive Order. "But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."

In response to the US allegations of Russia's election-hacking activities, Russian President Vladimir Putin this week said the attacks "have nothing to do with Russia's interests."

"They started this hysteria, saying that this (hacking) is in Russia's interests. But this has nothing to do with Russia's interests," Putin said at a Moscow business forum, according to Reuters.

Putin appeared to shift the discussion to the contents of the information breached and dumped publicly via WikiLeaks. "Everyone is talking about 'who did it' [the hacking]," said Putin. "But is it that important? The most important thing is what is inside this information."

45th President In The Hacker Hot Seat

While the Obama administration wrestles with how to implement its retribution policy for the first time, Russia's alleged hacking activity isn't likely to subside after the new President is elected, nor is the problem of nation-state hacking at this new level. So either new President Hillary Clinton or new President Donald Trump will be forced to tackle this new chapter in nation-state cyber espionage.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says the next President of the US will have some big challenges here. "Ultimately, nations have to behave like economic actors," he says.

Retribution for a cyberattack, like attribution, can be a slippery slope.

Unlike the diplomatic agreement between Obama and China's Xi Jinping, where both nations promised not to conduct cyber espionage for economic gain in the wake of China's infamous intellectual property theft-related hacks, a deal with Russia would be much trickier and less likely. "You're going to have to do it adversarily with Russia," Bambenek says. There's definitely danger of escalation and "tit-for-tat" responses, he says.

"History tends to favor sanctions in these matters," he says. Take the US's economic sanctions against Russia in response to Putin's aggression in Crimea, he says. "That remains a pain point for Russia."

But Russian doctrine supports escalation as a way to de-escalate tensions or conflict, notes Christopher Porter, manager of the Horizons team at FireEye. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

Even if the US were to out the tools or infrastructure used by the Russian attack groups, it likely wouldn't pressure Russia to dial back the hacks. Porter points to a previous year-long study by FireEye of Russian threat groups that concluded that even after being outed more than 20 times in one year, the groups continued their operations.

"It had no demonstrative effect on their ability to compromise" their targets, he says. "They are well-resourced" and FireEye has seen them just shift their operations with infrastructure from outside Russia or with other resources, he says.

FireEye's Porter says there are two things the next US administration could do differently to handle these attackers. "They need to have better delegation for decision-making on the US side," he says. "Don't wait until a lot of incidents pile up before formulating a response. The White House has to weigh in on every decision now."

Second, don't treat state-sponsored hacks like a legal case. "We still talk about state-sponsored attacks as though they are a case for a lawyer, and we treat them like we have to prove them beyond a reasonable doubt … with forensic evidence," he says.

That approach doesn't work because savvy nation-states can easily sow reasonable doubt in their attacks, he says.

New Normal Norms Needed

Ultimately, without any global cyber-norms from which to operate, the US is limited in its response.

"I would love to see the next president somehow reach consensus with other nations as to what is and what is not acceptable in the world of cyber and what responses are acceptable to nations who violate those norms," Thomas, aka Space Rogue, says.

That would require defining just what constitutes a cybersecurity violation when it comes to nation-states. "We should have very defined sanctions regarding hacking and cyberwarfare," says Miller Newton, president and CEO of data encryption company PKWARE.

But neither Presidential candidate has been eager to embrace the cybersecurity policy issues, despite both of their campaigns directly being drawn into the Russian hacks: Clinton via the DNC email breach as well as that of her campaign manager John Podesta, and Trump, who went so far as to say in the most recent debate that "maybe there is no hacking" in reference to the US government calling out Russia over the alleged data breaches.

Newton says the candidates aren't emphasizing cybersecurity because it's just not a hot topic for voters. "It's not a vote-getting issue," he says. "They [the candidates] don't want to hit the privacy versus national security issue head-on [either]. It's a quagmire: there is no easy solution, but it needs to be front and center."

But apparently, millennials do care about cybersecurity policy: more than half of US adults ages 18-26 surveyed by Raytheon and the National Cyber Security Alliance (NCSA) say that a candidate's position on cybersecurity weighs into their decision to support that candidate. Half don't think cybersecurity has been sufficiently discussed in this election season.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

@Kelly: Judging by the Millennials I have come to know, I think it's more a matter of wanting to appear as if they fit in and are doing the right thing.

If Millennials as a whole truly cared -- genuinely cared -- about information security and data privacy to the level being discussed here, they sure as shootin' wouldn't use so many apps or live on their mobile devices.

Good point about "leading" questions in surveys. But I think it's also not surprising that millennials, who unlike their parents grew up with technology/Internet, are more concerned about cybersecurity.

I question the survey results reported in that last graf. It is an automatically leading question merely by virtue of asking it. It makes people feel like they *should* be concerned about cybersecurity when it comes to politics, even if they're not -- or it triggers in people the feeling that they, as rational human beings, OF COURSE factor cybersecurity into their voting decision-making, even when they do not.

I seriously doubt that cybersecurity is a significant factor for the vast majority of US voters.
